Group owner can not add members to a group

I’m pretty sure this used to work.

Expected Behavior
Group owners can add members to the group using the “add members” modal.

Observed Behavior
Group owners see the “add members” modal, but when trying to submit it, they get a 403 error (forbidden).

Observed on two separate sites.

Here’s a screenshot for ya:

4 Likes

It is still working on 2.7.0.beta9 ( 4a2912233c )

3 Likes

Just pulled the latest code from github and re-tested. Confirmed that it’s broken. Steps to reproduce:

  1. Create a new user, this user should not be a moderator or an admin.
  2. Create a new group with the following settings: Allow users to leave the group freely=True, Allow users to send membership requests to group owners=True, Who can see this group?=Everyone, Who can see this group's members?=Everyone, Who can @mention this group?=Only moderators and admins, Who can message this group?=Only moderators and admins.
  3. Set the user to be the owner of the group.
  4. While signed in as the group owner, try to add a different user to the group.
4 Likes

I assume the user is TL2 or > ?

3 Likes

I was able to get to the bottom of this.

Here’s the line that was causing trouble: discourse/groups_controller.rb at e2e13a70f63605b92b4e521cc9f818061c1ccfb6 · discourse/discourse · GitHub

@Benjamin_D got it right. It’s a TL issue.

There’s a site setting min_trust_level_to_allow_invite, this was set to TL2 while the group owner had TL1.

Should a group owner be allowed to invite users to the group without meeting the trust level req? Seems confusing.

8 Likes

:thinking: you’re right, I guess he should ? Or maybe he shouldn’t be owner if he doesn’t meet the TL criteria ?

5 Likes

That would make sense too.

Or even just adding a more specific error to this.
E.g. instead of raising the InvalidAccess error with the (en) message: You are not permitted to view the requested resource.

Create a InsufficientTrustLevel error (perhaps as a subclass of InvalidAccess) with a (en) message: You do not have the required trust level to view the requeted resource. At least then admins can know it’s a TL issue and not a bug.

Some notes on where this stuff is defined in the codebase

I can make a PR for that if it it seems like the way to go.

6 Likes

While I agree we need a better error message here, I actually think we regressed here.

A group owner’s role is to manage the membership of their group. If they can’t invite/add users to their group, then the feature is half broken…

@dan can you add that to your list?

8 Likes

Great sleuthing, everyone!

I may be wrong, but I think this situation has arisen as part of the work we’re doing on improving the invite system. We are normalizing invites so they all use the same invitation system, and separating out the functions dealing with existing users. Most recently, we changed it so we notify existing users about topics now via the share button in the topic menu, separately from inviting new users to join the site and contribute to the topic.

We’ll want to do the same for groups - it’s already on our list to work on this, but now I guess it’s become more urgent if it means it’s not possible to add anyone to a group if you don’t have sufficient TL to invite new users to the site.

6 Likes

That limit makes sense when inviting emails to groups. However, it does not make sense when inviting existing users. I fixed this issue in:

This will fix the problem for now, but we are expecting to revamp this area.

7 Likes

This topic was automatically closed after 2 days. New replies are no longer allowed.